Analysis
max time kernel: 151s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08/06/2024, 23:27
Static task: static1
Behavioral task: behavioral1
  Sample: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  Resource: win10v2004-20240226-en
General
Target: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Size: 4.0MB
MD5: 4118f91d13a805a48ed5c5d03ff52054
SHA1: 194ea8ee61af70fc98afece3f350e5440169f94c
SHA256: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2
SHA512: 8dcab827000a488caf2691e504426a562e5f2b5846a8d81371bae99caa9d24f5c101ecdace81bf514cc4e6587406c50b86d1aeda5f25b35912fff4a7a1b94f71
SSDEEP: 49152:sxX7665YxRVplZzSKntlGIiT+HvRdpcAHSjpjK3LBpB/bSqz8b6LNXJqI20t:sxX7QnxrloE5dpUpCbVz8eLFcz
Malware Config
Signatures
Drops startup file (1 IoC)
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
  Process: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  2060  sysxbod.exe
  1664  devdobec.exe
Loads dropped DLL (2 IoCs)
  pid   Process
  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Parametr = "C:\\AdobeE0\\devdobec.exe"
  Process: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe

  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Parametr = "C:\\KaVBER\\dobdevloc.exe"
  Process: 5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
  2060  sysxbod.exe
  1664  devdobec.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process                                                                   procid_target
  PID 1928 wrote to memory of 2060  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  28
  PID 1928 wrote to memory of 2060  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  28
  PID 1928 wrote to memory of 2060  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  28
  PID 1928 wrote to memory of 2060  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  28
  PID 1928 wrote to memory of 1664  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  29
  PID 1928 wrote to memory of 1664  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  29
  PID 1928 wrote to memory of 1664  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  29
  PID 1928 wrote to memory of 1664  1928  5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe  29
Processes
C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\5223518afbdf5211e2132427b839364d0f83b02e4a3c1256947c99feacb11da2.exe"
  - Drops startup file
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 1928
    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe
      command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sysxbod.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 2060
    C:\AdobeE0\devdobec.exe
      command line: C:\AdobeE0\devdobec.exe
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID: 1664
Network
MITRE ATT&CK Enterprise v15
Downloads